Strict Equality Check in withdrawFees() Causes Permanent Fund Lockup
Root + Impact
Root Cause: withdrawFees() uses strict equality (==) to compare contract balance with totalFees, which can be broken by force-sending ETH to the contract via selfdestruct.
Impact: Attacker can permanently lock all accumulated fees by sending 1 wei to the contract, making the equality check always fail.
Description
Normal Behavior: The owner should be able to withdraw accumulated fees when no active raffle is in progress.
Issue: The withdrawFees() function uses a strict equality check (==) to verify no players are active. If anyone sends ETH directly to the contract (via selfdestruct or other means), the balance will never equal totalFees, permanently locking the fees.
Risk
Likelihood:HIGH
-
Reason 1 : Any malicious actor can exploit this by sending 1 wei to the contract
-
Reason 2 : selfdestruct from another contract can force ETH into any address
Impact:
-
Impact 1:All accumulated fees become permanently locked
-
Impact 2: Owner can never withdraw any fees
Proof of Concept
In Ethereum, there are ways to force ETH into a contract that bypass any receive() or fallback() function:
selfdestruct: When a contract self-destructs, it sends its balance to a specified address, and the recipient cannot refuse
Recommended Mitigation
Instead of checking exact equality (which can be manipulated), check that the balance is at least equal to the fees to withdraw. Also, track player deposits separately to properly determine if a raffle is active.
Lead Judging Commences
[M-02] Slightly increasing puppyraffle's contract balance will render `withdrawFees` function useless
## Description An attacker can slightly change the eth balance of the contract to break the `withdrawFees` function. ## Vulnerability Details The withdraw function contains the following check: ``` require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); ``` Using `address(this).balance` in this way invites attackers to modify said balance in order to make this check fail. This can be easily done as follows: Add this contract above `PuppyRaffleTest`: ``` contract Kill { constructor (address target) payable { address payable _target = payable(target); selfdestruct(_target); } } ``` Modify `setUp` as follows: ``` function setUp() public { puppyRaffle = new PuppyRaffle( entranceFee, feeAddress, duration ); address mAlice = makeAddr("mAlice"); vm.deal(mAlice, 1 ether); vm.startPrank(mAlice); Kill kill = new Kill{value: 0.01 ether}(address(puppyRaffle)); vm.stopPrank(); } ``` Now run `testWithdrawFees()` - ` forge test --mt testWithdrawFees` to get: ``` Running 1 test for test/PuppyRaffleTest.t.sol:PuppyRaffleTest [FAIL. Reason: PuppyRaffle: There are currently players active!] testWithdrawFees() (gas: 361718) Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 3.40ms ``` Any small amount sent over by a self destructing contract will make `withdrawFees` function unusable, leaving no other way of taking the fees out of the contract. ## Impact All fees that weren't withdrawn and all future fees are stuck in the contract. ## Recommendations Avoid using `address(this).balance` in this way as it can easily be changed by an attacker. Properly track the `totalFees` and withdraw it. ```diff function withdrawFees() external { -- require(address(this).balance == uint256(totalFees), "PuppyRaffle: There are currently players active!"); uint256 feesToWithdraw = totalFees; totalFees = 0; (bool success,) = feeAddress.call{value: feesToWithdraw}(""); require(success, "PuppyRaffle: Failed to withdraw fees"); } ```
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.